In her recent webinar on AML Compliance and Practical Management Procedures, Elaine Jackson, an expert in anti-money laundering (AML), gave detailed guidance on one of the most critical aspects of AML frameworks: customer due diligence (CDD). She explained both when firms are required to carry out CDD and the measures that must be applied to ensure compliance with regulatory expectations.

When to Complete Customer Due Diligence

CDD is not a one-off activity but an ongoing obligation, triggered by specific circumstances and risk factors. Jackson highlighted the three-stage process that underpins CDD: identification, risk assessment, and verification.

Initial Triggers for CDD

Under Regulation 27, CDD must be performed when:

• Establishing a new business relationship with a client.
• Carrying out an occasional transaction that amounts to a transfer of funds within the meaning of Article 3.9 of the Funds Transfer Regulation exceeding €1000.
• Where there is a suspicion of money laundering or terrorist financing.
• Where there is doubt about the adequacy or authenticity of documents or information already obtained.

Ongoing and Event-Driven Triggers

CDD is not limited to onboarding. Firms must also refresh CDD:

• At appropriate times, on a risk-based approach, for existing customers.
• Whenever there is a change in the customer’s circumstances, such as new ownership, changes in beneficial ownership, or expansion into new jurisdictions.
• When transactions are inconsistent with the customer’s normal profile (e.g., sudden spikes in deposits or unexplained shifts in business activity).

Elaine emphasised that firms should prioritise high-risk clients for enhanced due diligence and monitoring, while maintaining proportionate checks for medium- and low-risk customers.

Customer Due Diligence Measures

Once CDD is triggered, the measures to be applied are set out under Regulation 28. These include:

1. Identifying the customer – obtaining key information such as full name, address, date of birth, and legal status (for companies, registration details, directors, and place of business).
2. Verifying identity – ensuring documents are valid and current (e.g., passports, driving licences, national ID cards), supported by address verification (e.g., tax statements, bank statements, council tax letters).
3. Understanding ownership and control – determining who ultimately owns and controls the entity. For companies, this means identifying persons with significant control and mapping ownership structures to prevent disguised beneficial ownership.
4. Assessing purpose and intended nature of the relationship – asking why the customer needs the services, what the business activities are, and how funds will flow.
5. Gathering evidence of source of funds and wealth – for example, proof of inheritance, property sales, employment income, or investment returns. Reluctance to provide such evidence may indicate elevated risk.
6. Applying a risk-based approach – tailoring the extent of CDD based on whether the client is low, medium, or high risk.

• Normal CDD applies to most clients.

• Enhanced CDD applies to high-risk customers (e.g., those in high-risk jurisdictions, cash-intensive businesses, or politically exposed persons outside the UK).

Elaine noted that documentation should not only be collected but stored and evidenced to demonstrate compliance during regulatory reviews.

The Risk-Based Mindset

A recurring theme in Elaine’s guidance is the importance of a risk-based approach. Firms must not treat CDD as a box-ticking exercise. Instead, they should:

• Continuously assess client risk.
• Revisit CDD whenever risks change.
• Document the rationale for their risk rating and the measures taken.

Effective AML compliance depends on both regulatory knowledge and practical, ongoing engagement with clients. A clear understanding of when to apply CDD and how to apply proportionate measures is essential for preventing financial crime and satisfying regulatory expectations.

The contents of this article are meant as a guide only and are not a substitute for professional advice. The author/s accept no responsibility for any action taken, or refrained from, as a result of the material contained in this document. Specific advice should be obtained before acting or refraining from acting, in connection with the matters dealt with in this article. The information at the time of publishing was accurate and could be subject to final changes.